"This means the privacy of your end-to-end encrypted group chat is only guaranteed if you actually trust the WhatsApp server."
"This undermines the entire purpose of end-to-end encryption."
"And yet, the entire point of end-to-end encryption is to remove the server from the trusted computing base."
"The challenge here is that since WhatsApp itself determines who the administrators are, this isn't quite so simple."
Not only does this system require trusting a third party, that party is none other than Facebook. Its business is built on learning about the lives of users and selling ads, not serving as a naive broker of "secure messages".
This is a weakness that not only requires WhatsApp to be malicious but to not care about the trivial visibility of an exploit (the client would still display the extra person being added to the group chat).
They have a feature where you can invite people to the group with a link that requires the server being able to add people. Isn't that a fairly obvious motive?
"Do we trust the WhatsApp server?" -- could be also formulated as: "Do we trust the WhatsApp client?". It is obviously made by the same people. Both are closed source and the protocol is reverse engineered. What's the point if they made an auditing but do not communicate the results? It's probably not too surprising if reverse engineering points out vulnerabilities. It's a fenced ecosystem which claims to establish a secure communication but does not.
> It's a fenced ecosystem which claims to establish a secure communication but does not.
Your concern extends for all systems that require centralisation. Possibly one example of a chat client which addresses the concerns you raise is Ricochet [1].
Your Ricochet messaging client instance acts as a Tor hidden service. Your add contacts by their ricochet ID which is derived from an onion address. There is no central server / service involved. Everything is direct p2p between your messaging client and your peers.
The source code has been audited by NCC group [2].
It's limited - text only, no attachments, no voice.
If your threat model includes adversaries such as nation states, then this is perhaps the tool to use for simple text messaging.
Having an open source client and server would help how? How would you know the server is running that software? Or that the binaries distributed via the App Store don't have some special spice?
And as far as I know the whatsapp protocol is simply tokenised XMPP.
If you have proper end to end encryption protocol and client which correctly implements the protocol without additional backdoors then it doesn't matter what the server runs. If the client is open source you can verify and build it yourself or download the binary from source that you trust.
The attack is real but I’m not impressed by the way they paper over the notifications you’d get that they consider ‘easy to miss’. The messages you get when someone gets a new phone/key are even easier to miss and they’re off by default.
The point is that the server doesn’t know if they’re off and if you’re paying attention so if it’s cheating it runs the chance of being detected.
Seems like this could be fixed fairly easily with a set of gatekeeper options. When a group gets created, you could have the option of making the group Public (anyone can join), Invite-Only (anyone can join with an invitation from someone already in the group), or Vetted (requires an invitation to join and the person who made the group must approve each person who tries to join).
That way, you account for varying levels of paranoia.
I have been subject of a probing attack on Signal. The attacker put a collection of messages into a group chat and see which ones made it in. Randomly, I am in a group Signal chat with 8-9 other people in my area code.
"The researchers say that Open Whisper Systems, the non-profit that runs and maintains Signal, nonetheless responded to their work, saying that it's currently redesigning how Signal handles group messaging. Open Whisper Systems declined to comment on the record to WIRED about the Ruhr researchers' findings."
"In a phone call with WIRED, a WhatsApp spokesperson confirmed the researchers' findings. [...]And the WhatsApp spokesperson also noted that preventing the Ruhr University researchers' attack would likely break a popular WhatsApp feature that allows anyone to join a group simply by clicking on a URL."
So I don't think WhatsApp will fix it.
And to be honest, it could be better for security not fixing it. This way people will stay with whatsapp and most chats remain e2e encrypted and safe. If Whatsapp breaks these features, people could switch to other messengers without e2e encryption (e.g. Facebook messenger) for group chats.
And for those concerned about the issue, you can monitor the member list and make sure you carefully check all messages. If you're really concerned about encryption that's what you should do anyway.
It seems like all signal has to do is to take the step of validating that the member sending the "group management" message is already in the group first.
So they didn't bother to check if the add to group message was from someone in the group?
I mean no offense to the developers, but this seems like a fairly basic oversight and quite concerning that respected and popular products didn't get this level of review until now.
No crazy cryptographic mess involving improper ordering of authentication or weird random number generation, this is a simple logic bug. One that I'm sure many of us would have considered if we were implementing it, things like this do get missed too of course, but enough eyes on the design could have caught this.
> One that I'm sure many of us would have considered if we were implementing it, things like this do get missed too of course, but enough eyes on the design could have caught this.
It wasn't a design flaw, it was an insecure-direct-object-reference implementation flaw. IDORs are extremely common, but since the group id is an unguessable 128 bits, the bug can only be used by someone who was already in the group previously to rejoin the group. I'm sure it'll get patched shortly, if it hasn't been already.
For the WhatsApp case, a malicious WhatsApp server could add someone to your group, but everyone in the group would see it.
These bugs are not big deals. The real harm comes from regular people reading articles like the Wired one or the famously wrong Guardian one and switching to much worse alternatives, like SMS or Telegram.
> The real harm comes from regular people reading articles like the Wired one or the famously wrong Guardian one and switching to much worse alternatives, like SMS or Telegram.
I can understand why you give SMS as an example, because it is just plaintext. But why Telegram? As far as I know Telegram is probably better secured over a service like Whatsapp.
Edit: the latter is an assumption from me, I do not have any claims to back this up. Thats why I'm asking.
People are in jail because they felt secure using Telegram. It's the kind of people who should be in jail, but nonetheless it is beyond me how anyone could still use it.
"This undermines the entire purpose of end-to-end encryption."
"And yet, the entire point of end-to-end encryption is to remove the server from the trusted computing base."
"The challenge here is that since WhatsApp itself determines who the administrators are, this isn't quite so simple."
Not only does this system require trusting a third party, that party is none other than Facebook. Its business is built on learning about the lives of users and selling ads, not serving as a naive broker of "secure messages".